7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3

Analysis

max time kernel
60s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2022, 11:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe
Size

8.5MB
MD5

3ca11cf521167682217f50f518042dd4
SHA1

a05b8c003d0055cf518bf9d1a1c2834b71510342
SHA256

7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3
SHA512

efb2af073de82f701bf0017e036371dfab9109a8a290e62a3ed1961a7e59f2bd673bbe0bbce2d722bc6448069318bafec2701fc442aea0e439e4e57765c4bd81
SSDEEP

196608:G7PkOJxfcwTDFHX7dvTjEOvfr9mIVbYQLiTItv3mCN3D34:8PkexEsHhvsOvf8aYQdv3mCFo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	PPTVIEW.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	PPTVIEW.EXE
1804	PPTVIEW.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4640	4776	7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe	80
PID 4776 wrote to memory of 4640	4776	7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe	80
PID 4776 wrote to memory of 4640	4776	7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe	80
PID 4640 wrote to memory of 1804	4640	cmd.exe	83
PID 4640 wrote to memory of 1804	4640	cmd.exe	83
PID 4640 wrote to memory of 1804	4640	cmd.exe	83
PID 4640 wrote to memory of 1804	4640	cmd.exe	83
PID 4640 wrote to memory of 1804	4640	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe
"C:\Users\Admin\AppData\Local\Temp\7323d25208f99cbbe9cca8da4187a119d7ed9be500968b7a7f16b5dc5885d0c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PPTVIEW.EXE
    PPTVIEW.EXE /L "playlist.txt"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804

Network

No results found

93.184.220.29:80

322 B
7
104.80.225.205:443

322 B
7
20.42.73.26:443

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\OGL.DLL

Filesize
1.6MB

MD5
771e968f072bdcc1a84870002e315842

SHA1
0d4a47eb49a8dcd3a7864de148d98162f7a25445

SHA256
f2f083548ff28ead2573516afe67b1e0a181270c814f318cf4d403cdd954de91

SHA512
fc3e4e9dec36bce356d1978419beabfd1e51fe199779798192d6b594baf9e60c3fb1f2289dd583f0c0d1724e2aaff619a85f69dab773c7f6004da72eefbcb1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PPTVIEW.EXE

Filesize
1.9MB

MD5
c6a24d8fefba44ecae8d2f02e18866be

SHA1
faea579ccee92c2fb780d06a5faed9a58869f49d

SHA256
fcdfa4ca411b2c7492ae9be2c1fa8660b8e832d1ed0ceb54cfc423a3f73c5467

SHA512
81bf32782e33f18e8faebedbe6640b6a22e04977a7191a104bfed832f9bae5d96f9c5c2aacf1fad0561a09359a5712b7c99aa8e17f54437bd49794c903823676

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PPTVIEW.EXE

Filesize
1.9MB

MD5
c6a24d8fefba44ecae8d2f02e18866be

SHA1
faea579ccee92c2fb780d06a5faed9a58869f49d

SHA256
fcdfa4ca411b2c7492ae9be2c1fa8660b8e832d1ed0ceb54cfc423a3f73c5467

SHA512
81bf32782e33f18e8faebedbe6640b6a22e04977a7191a104bfed832f9bae5d96f9c5c2aacf1fad0561a09359a5712b7c99aa8e17f54437bd49794c903823676

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PPVWINTL.DLL

Filesize
319KB

MD5
9a60a0ad72a65a7511cf5cbc4fd1c3f7

SHA1
711abefcb5db45428a74b16d632ac1335c18c6b3

SHA256
18e44e82da94537a45ffeb5b9c9085082a40d9e2d660e8e5bd78d9a87b6245c2

SHA512
01d32823cee5daf869aa4389f7940533eef1c7b943af2e2d44f2f261b54eb879edf52746e1973b099471a6320e1d1a3ba81e2301279c230aa188fb164ad6ca32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ogl.dll

Filesize
1.6MB

MD5
771e968f072bdcc1a84870002e315842

SHA1
0d4a47eb49a8dcd3a7864de148d98162f7a25445

SHA256
f2f083548ff28ead2573516afe67b1e0a181270c814f318cf4d403cdd954de91

SHA512
fc3e4e9dec36bce356d1978419beabfd1e51fe199779798192d6b594baf9e60c3fb1f2289dd583f0c0d1724e2aaff619a85f69dab773c7f6004da72eefbcb1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.bat

Filesize
30B

MD5
b7d94018ad8a49b0cf2fd7a9cdef943e

SHA1
67741ee33c4830aeeb8138a05ee33d32539ec2c7

SHA256
30c9405432c25f615f893e2a7a86589631415d17eb88439e3532d24dda988948

SHA512
9950e32944e359c3874bfd8f899880fc7a6d508655a6ee26d315daec64d227ca7b1df91ba396fb2fe401f7cfb5d669ae8fb4ed8946f857b0f3a93e0de9827cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ppvwintl.dll

Filesize
319KB

MD5
9a60a0ad72a65a7511cf5cbc4fd1c3f7

SHA1
711abefcb5db45428a74b16d632ac1335c18c6b3

SHA256
18e44e82da94537a45ffeb5b9c9085082a40d9e2d660e8e5bd78d9a87b6245c2

SHA512
01d32823cee5daf869aa4389f7940533eef1c7b943af2e2d44f2f261b54eb879edf52746e1973b099471a6320e1d1a3ba81e2301279c230aa188fb164ad6ca32

Download Submit